K
Q

kubectl connect with remote cluster from scratch

5/12/2018

I've created a local Kubernetes cluster using ansible. Everything is running but now I try to connect my kubectl with the cluster (in the VM's).

My cluster is running on https://IP:6443

First I got:

$ kubectl get pods
The connection to the server localhost:8080 was refused - did you specify the right host or port?

So I tried this solution:

kubectl config set-credentials kubeuser/IP --username=kubeuser --password=kubepassword
kubectl config set-cluster IP --insecure-skip-tls-verify=true --server=https://IP:6443
kubectl config set-context default/IP/kubeuser --user=kubeuser/IP --namespace=default --cluster=IP
kubectl config use-context default/IP/kubeuser

and tried again:

$ kubectl get pods
Error from server (Forbidden): pods is forbidden: User "system:anonymous" cannot list pods in the namespace "default"

I understand I need to create a clusterrolebinding but I still need an initial "admin-ownership" for that? What step am I missing or doing wrong so I can access my cluster with kubectl and get my pods?

-- DenCowboy
kubectl
kubernetes
rbac

Similar Questions

Setup "Stackdriver Kubernetes Monitoring" for AWS
NGINX controller install on Azure Kubernetes service
Kubernetes - How to use files from a directory in a pod?
How to update kubernetes deployment without updating image
Pod shows as "Terminating" after node is shutdown
Azure kubernetes - Secure pod access to resources
how to monitor multiple instances of docker using Prometheus?
How to use an init container to check if MySQL is ready for connections?
Grafana dashboard not working with Ingress
Jenkins Container - Docker installation - docker daemon not working

1 Answer

5/14/2018

Kubectl is a command line tool for remote management of Kubernetes cluster.

Kubectl is using a config file you must have to connect to the cluster. It is possible that your config file is inconsistent due to a lot of major or minor changes. If further analyses of the issues does not show good results, try to rm -f ~/.kube/config and start it from scratch.

As I see, you suspect that the problem is with the self signed certificates. It may require updating cluster root Certificate Authority (CA) on clients, then refreshing the local list for valid certificates.

Go to your local CA directory, check if ca.crt file exists, then copy it to the clients. For clients, perform the following operations:

sudo cp ca.crt /usr/local/share/ca-certificates/kubernetes.crt
sudo update-ca-certificates

I agree with the suggestion provided by Matthew L. Daniel:

cluster: tag accepts either the filename of the CA certificate or an "inline" base64-ed version of the PEM you can see it with:

kubectl config set-cluster $foo --certificate-authority=... --embed-certs=true

or you can cheat and use --insecure-skip-tls-verify=true to switch off the CA verification for testing things

If you do not have a certificate generated during the instalation of Kubernetes, I suggest starting with Kubernetes TLS documentation. You may have a look at Kubernetes cloud providers like GKE or AKS - they give a possibility to create Kubernetes config file remotely with all certificates included, and then download it to a local ~/.kube directory. Maybe this will solve some issues with the config if you adopt it to local installation. It works like a charm and saves a lot of time. If you’re still undecided, please provide here the output of kubectl config view for us to help you with your trouble. (Please remove sensitive data from it before posting here).

-- d0bry
Source: StackOverflow